Typically, there are three possible power states for a computing system. The first power state is the unpowered state, when the computing system is not connected to any power supply (for example not connected to an electric outlet or to a main battery). The second power state is the standby power state, also known as Soft Off (G2/S5) or hibernation (S4 Non-Volatile Sleep) mode, when the computing system is connected to a power supply (for example plugged into an electric outlet or the main battery is in the battery bay) but the computing system has not been turned on (i.e. not been powered up). The third power state is the power on state, when the computing system is powered up (i.e. turned on).
A computing system may be reset for example with a cold boot host platform reset (which includes a power on self test, for example after turning on the computing system), a hardware host platform reset (i.e. a reset of computing system components), or a warm (also known as soft) boot host platform reset (i.e. a software caused reset). After the computing system has been reset, there follows a reset period, which is typically (although not necessarily) short. During the reset period, the host central processing unit (CPU) in the computing system is not active. The Basic Input/Output System (BIOS) is the software code and/or data that the host CPU in the computing system uses to get the computing system started (i.e. to boot up the computing system) after the reset period has ended. The BIOS may for example manage data flow between the operating system of the computing system and attached devices such as the hard disk, video adapter, keyboard, mouse, printer, etc. The BIOS may also for example prepare the computing system so that other software programs stored on various media (such as hard drives, floppies, and CDs) can load, execute, and assume control of the computing system.
In order to perform an integrity check of the system, after the reset period has ended, part or all of the BIOS may be measured (for example hashed). Performing the BIOS measurement defers the running of the BIOS and the subsequent loading of the operating system.
The host CPU may hash part or all of the BIOS, after the reset period has finished. Alternatively, after the reset period has ended the host CPU may use another module which preferably can perform the hashing of the BIOS more quickly than the CPU at that point in time.
One type of security module which may be used to check the integrity of the BIOS is a Trusted Platform Module (TPM) which conforms with one or more Trusted Computing Group (TCG) specifications.
In the TCG specifications, the static core root of trust for measurement (CRTM) is the immutable part of the computing device initialization code which executes after the computing system has been reset. The trust in the host platform (the host platform including the motherboard, host CPU, host root of trust for measurement (RTM), TPM, and all host peripherals that are attached to the motherboard) is based on the static CRTM. In one implementation, the BIOS boot block is termed the static CRTM. After the reset period has ended, the static CRTM executed by the CPU initializes a TPM driver which is used by the host CPU to read, write and control the TPM. The CPU reads a section of the BIOS (other than the static CRTM) and feeds the section of the BIOS to the TPM for hashing. The TPM hashes the section of the BIOS. The CPU reads the hashed BIOS section, and the hashed BIOS section or a function thereof is stored in one or more platform configuration registers (PCRs) in the TPM. Alternatively, the TPM stores the hashed BIOS section or a function thereof in one or more PCRs.
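The "function thereof" that a TCG-conformant TPM applies when a digest is recorded in a PCR is the extend operation, PCR[i] = H(PCR[i] || digest), which chains every measurement onto the previous PCR value rather than overwriting it. The following Python model is an added example, not code from the original text or from any TCG specification; it simulates the static CRTM flow described above (CRTM and a further BIOS section hashed and extended into PCR0 after a platform reset) and shows how a verifier replays the chain to detect a modified BIOS section or a reordered measurement. The BIOS bytes are constructed placeholders, the class and function names are my own, and SHA-1 with 24 PCRs reflects TPM 1.2-era platforms.

```python
import hashlib

# Constructed sample "BIOS image": the static CRTM (boot block) followed by the
# remainder of the BIOS that the CRTM measures. Real firmware is far larger;
# these are placeholder bytes for the example only.
CRTM_BOOT_BLOCK = b"CRTM: constructed boot block v1"
BIOS_MAIN = b"BIOS main body: constructed POST and runtime services"

PCR_COUNT = 24          # TPM 1.2 platforms expose at least 24 PCRs
DIGEST = hashlib.sha1   # TPM 1.2 PCRs are SHA-1 sized (20 bytes)
PCR_BYTES = DIGEST().digest_size


class SimulatedTPM:
    """Minimal model of the PCR bank: hash and extend only; PCRs clear on reset."""

    def __init__(self):
        self.reset()

    def reset(self):
        # A host platform reset clears the static PCRs to all zeros.
        self.pcrs = [bytes(PCR_BYTES) for _ in range(PCR_COUNT)]

    def hash(self, data: bytes) -> bytes:
        # The TPM hashes the BIOS section the CPU feeds to it.
        return DIGEST(data).digest()

    def extend(self, index: int, digest: bytes) -> bytes:
        # TCG PCR extend: PCR[i] <- H(PCR[i] || digest). There is no direct write,
        # so both the content and the order of every measurement are preserved.
        if len(digest) != PCR_BYTES:
            raise ValueError("digest must be exactly the PCR width")
        self.pcrs[index] = DIGEST(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def read(self, index: int) -> bytes:
        return self.pcrs[index]


def measured_boot(tpm: SimulatedTPM, crtm: bytes, bios_section: bytes, pcr: int = 0) -> bytes:
    """Static CRTM flow: measure the CRTM, then the rest of the BIOS, into one PCR."""
    tpm.reset()                                  # platform reset precedes the CRTM
    tpm.extend(pcr, tpm.hash(crtm))              # CRTM measures itself first
    tpm.extend(pcr, tpm.hash(bios_section))      # then the BIOS section it hands off to
    return tpm.read(pcr)


def expected_pcr(sections) -> bytes:
    """Replay the extend chain offline from known-good sections (a verifier's golden value)."""
    value = bytes(PCR_BYTES)
    for section in sections:
        value = DIGEST(value + DIGEST(section).digest()).digest()
    return value


def verify_boot(observed_pcr: bytes, golden_sections) -> bool:
    """True only if the PCR equals the replay of the expected sections in the expected order."""
    return observed_pcr == expected_pcr(golden_sections)


if __name__ == "__main__":
    tpm = SimulatedTPM()
    good = measured_boot(tpm, CRTM_BOOT_BLOCK, BIOS_MAIN)
    print("PCR0 (good boot):", good.hex(), verify_boot(good, [CRTM_BOOT_BLOCK, BIOS_MAIN]))

    # A single changed byte in the measured BIOS section yields a different PCR0.
    tampered = measured_boot(tpm, CRTM_BOOT_BLOCK, BIOS_MAIN[:-1] + b"X")
    print("PCR0 (tampered): ", tampered.hex(), verify_boot(tampered, [CRTM_BOOT_BLOCK, BIOS_MAIN]))
```

Because the extend function is one-way and order-sensitive, a verifier does not need the BIOS itself, only the expected digests in boot order; any deviation in either the bytes or the sequence surfaces as a PCR mismatch.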